-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.1162
                sol35358312: TCP vulnerability CVE-2015-8099
                                11 May 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           F5 products
Publisher:         F5 Networks
Operating System:  Network Appliance
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-8099

Original Bulletin:
   https://support.f5.com/kb/en-us/solutions/public/k/35/sol35358312.html

- --------------------------BEGIN INCLUDED TEXT--------------------

sol35358312: TCP vulnerability CVE-2015-8099

Security Advisory

Original Publication Date: 05/10/2016

Vulnerability Description

Under limited conditions, an invalid TCP segment can lead to a Denial of
Service for the High-Speed Bridge (HSB) on the following platforms: 3900,
6900, 8900, 8950, 11000, 11050, PB100 or PB200. This issue is only exposed
on virtual servers while Software SYN cookies are configured for use and
currently engaged. The scope of the exposure is limited to the BIG-IP data
plane. The access vector is network based and authentication is not a
requirement for attack. There is no control plane exposure to this issue.
(CVE-2015-8099)

Impact

Invalid TCP segment can lead to a Denial of Service (DoS) for BIG-IP
platforms that contain the High-Speed Bridge (HSB).

Security Issue Status

F5 Product Development has assigned ID 542314 (BIG-IP) and ID 558389
(BIG-IQ and Enterprise Manager) to this vulnerability, and has evaluated
the currently supported releases for potential vulnerability.
To determine if your release is known to be vulnerable, the components or
features that are affected by the vulnerability, and for information about
releases or hotfixes that address the vulnerability, refer to the following
table:

Product                         Versions known       Versions known       Severity         Vulnerable
                                to be vulnerable     to be not            component
                                                     vulnerable           or feature
-----------------------------------------------------------------------------------------------------------
BIG-IP LTM                      12.0.0               12.0.0 HF1           Severe           Virtual servers
                                11.6.0               11.6.1
                                11.5.0 - 11.5.3      11.5.4
                                11.3.0 - 11.4.1      11.4.1 HF10
                                                     11.0.0 - 11.2.1
                                                     10.1.0 - 10.2.4

BIG-IP AAM                      12.0.0               12.0.0 HF1           Severe           Virtual servers
                                11.6.0               11.6.1
                                11.5.0 - 11.5.3      11.5.4
                                11.4.0 - 11.4.1      11.4.1 HF10

BIG-IP AFM                      12.0.0               12.0.0 HF1           Severe           Virtual servers
                                11.6.0               11.6.1
                                11.5.0 - 11.5.3      11.5.4
                                11.3.0 - 11.4.1      11.4.1 HF10

BIG-IP Analytics                12.0.0               12.0.0 HF1           Severe           Virtual servers
                                11.6.0               11.6.1
                                11.5.0 - 11.5.3      11.5.4
                                11.3.0 - 11.4.1      11.4.1 HF10
                                                     11.0.0 - 11.2.1

BIG-IP APM                      12.0.0               12.0.0 HF1           Severe           Virtual servers
                                11.6.0               11.6.1
                                11.5.0 - 11.5.3      11.5.4
                                11.3.0 - 11.4.1      11.4.1 HF10
                                                     11.0.0 - 11.2.1
                                                     10.1.0 - 10.2.4

BIG-IP ASM                      12.0.0               12.0.0 HF1           Severe           Virtual servers
                                11.6.0               11.6.1
                                11.5.0 - 11.5.3      11.5.4
                                11.3.0 - 11.4.1      11.4.1 HF10
                                                     11.0.0 - 11.2.1
                                                     10.1.0 - 10.2.4

BIG-IP DNS                      12.0.0               12.0.0 HF1           Severe           Virtual servers

BIG-IP Edge Gateway             11.3.0               11.0.0 - 11.2.1      Severe           Virtual servers
                                                     10.1.0 - 10.2.4

BIG-IP GTM                      11.6.0               11.6.1               Severe           Virtual servers
                                11.5.0 - 11.5.3      11.5.4
                                11.3.0 - 11.4.1      11.4.1 HF10
                                                     11.0.0 - 11.2.1
                                                     10.1.0 - 10.2.4

BIG-IP Link Controller          12.0.0               12.0.0 HF1           Severe           Virtual servers
                                11.6.0               11.6.1
                                11.5.0 - 11.5.3      11.5.4
                                11.3.0 - 11.4.1      11.4.1 HF10
                                                     11.0.0 - 11.2.1
                                                     10.1.0 - 10.2.4

BIG-IP PEM                      12.0.0               12.0.0 HF1           Severe           Virtual servers
                                11.6.0               11.6.1
                                11.5.0 - 11.5.3      11.5.4
                                11.3.0 - 11.4.1      11.4.1 HF10

BIG-IP PSM                      11.3.0 - 11.4.1      11.4.1 HF10          Severe           Virtual servers
                                                     11.0.0 - 11.2.1
                                                     10.1.0 - 10.2.4

BIG-IP WebAccelerator           11.3.0               11.0.0 - 11.2.1      Severe           Virtual servers
                                                     10.1.0 - 10.2.4

BIG-IP WOM                      11.3.0               11.0.0 - 11.2.1      Severe           Virtual servers
                                                     10.1.0 - 10.2.4

ARX                             None                 6.0.0 - 6.4.0        Not vulnerable   None

Enterprise Manager              3.0.0 - 3.1.1        None                 Low              Virtual servers*

FirePass                        None                 7.0.0                Not vulnerable   None
                                                     6.0.0 - 6.1.0

BIG-IQ Cloud                    4.0.0 - 4.5.0        None                 Low              Virtual servers*

BIG-IQ Device                   4.2.0 - 4.5.0        None                 Low              Virtual servers*

BIG-IQ Security                 4.0.0 - 4.5.0        None                 Low              Virtual servers*

BIG-IQ ADC                      4.5.0                None                 Low              Virtual servers*

BIG-IQ Centralized Management   4.6.0                None                 Low              Virtual servers*

BIG-IQ Cloud and Orchestration  1.0.0                None                 Low              Virtual servers*

LineRate                        None                 2.5.0 - 2.6.1        Not vulnerable   None

F5 WebSafe                      None                 1.0.0                Not vulnerable   None

Traffix SDC                     None                 4.0.0 - 4.4.0        Not vulnerable   None
                                                     3.3.2 - 3.5.1

*Although the BIG-IQ and Enterprise Manager software contains the
vulnerable code, these products do not expose virtual server objects, or
use the vulnerable code in a way that exposes the vulnerability in a
standard configuration.

Vulnerability Recommended Actions

If you are running a version listed in the Versions known to be vulnerable
column, you can eliminate this vulnerability by upgrading to a version
listed in the Versions known to be not vulnerable column. If the table
lists only an older version than what you are currently running, or does
not list a non-vulnerable version, then no upgrade candidate currently
exists.

F5 responds to vulnerabilities in accordance with the Severity values
published in the previous table. The Severity values and other security
vulnerability parameters are defined in SOL4602: Overview of the F5
security vulnerability response policy.

Identifying log messages relevant to the vulnerability

The primary means of identifying the vulnerability is by locating the
relevant log messages in the /var/log/ltm file. For the HSB lockup to
occur, the system must be operating in Syncookie mode. Therefore, you
should look for two logs in proximity.

First, you should see a log message indicating that the Syncookie
threshold was exceeded.
The message appears similar to the following example:

warning tmm[PID]: 01010038:4: Syncookie threshold 1993 exceeded, virtual = 10.11.12.13:443

Note: The actual threshold value will vary.

Second, you should see an HSB lockup message. The message appears similar
to the following example:

crit tmm[PID]: 01230111:2: Interface 0.1: HSB DMA lockup on transmitter failure.

Note: The lockup by itself is not necessarily indicative of this
vulnerability, as other issues may produce the same log message. However,
if both the platform and software version are within the vulnerable set as
indicated above, presence of the error messages may indicate exposure to
the vulnerability.

Mitigating the vulnerability

F5 strongly encourages you to upgrade to a fixed release to mitigate this
issue. However, if you are unable to upgrade at this time, contact F5
Technical Support to obtain an iRule mitigation.

Supplemental Information

SOL9970: Subscribing to email notifications regarding F5 products
SOL9957: Creating a custom RSS feed to view new and updated documents
SOL4918: Overview of the F5 critical issue hotfix policy
SOL167: Downloading software and firmware from F5
SOL13123: Managing BIG-IP product hotfixes (11.x - 12.x)

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
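Added example (not part of the AusCERT bulletin or of F5's advisory): a small
Python script that applies the "Identifying log messages relevant to the
vulnerability" guidance above to /var/log/ltm. It pairs each HSB DMA lockup
message (01230111) with a preceding Syncookie-threshold-exceeded message
(01010038) within a time window, and separately reports lockups that have no
such predecessor, since the advisory notes other issues produce the same
message. The platform list and the two message bodies come from the advisory;
the syslog prefix format ("Mon DD HH:MM:SS host level tmm[pid]: ..."), the
year, the 300-second window, the hostname, the PIDs and the unrelated sshd
line in the sample log are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# HSB platforms the advisory names as exposed to the lockup.
HSB_PLATFORMS = {"3900", "6900", "8900", "8950", "11000", "11050", "PB100", "PB200"}

# Message IDs from the advisory's two example log lines.
SYNCOOKIE_EXCEEDED = "01010038"  # warning: Syncookie threshold N exceeded, virtual = A.B.C.D:port
HSB_DMA_LOCKUP = "01230111"      # crit: Interface X.Y: HSB DMA lockup on transmitter failure.

# Assumed syslog framing around the tmm message (not specified in the advisory).
LTM_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<level>\w+) tmm\d*\[\d+\]: (?P<code>[0-9A-Fa-f]{8}):\d+: (?P<msg>.*)$"
)
VIRTUAL_RE = re.compile(r"virtual = (\S+)")

# Constructed sample log: lines 2 and 3 reproduce the advisory's example messages;
# timestamps, hostname, PIDs and the sshd noise line are made up for the example.
SAMPLE_LTM_LOG = """\
May 10 09:14:02 bigip1 info sshd[5123]: Accepted publickey for admin from 192.0.2.10 port 50122 ssh2
May 10 09:14:05 bigip1 warning tmm[7421]: 01010038:4: Syncookie threshold 1993 exceeded, virtual = 10.11.12.13:443
May 10 09:14:11 bigip1 crit tmm[7421]: 01230111:2: Interface 0.1: HSB DMA lockup on transmitter failure.
May 10 13:02:40 bigip1 crit tmm[7421]: 01230111:2: Interface 0.1: HSB DMA lockup on transmitter failure.
"""


def parse_ltm_line(line, year=2016):
    """Parse one tmm line into a dict; return None for non-tmm lines.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2016)."""
    m = LTM_LINE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "level": m["level"], "code": m["code"], "msg": m["msg"]}


def correlate_hsb_lockups(lines, window_seconds=300, year=2016):
    """One finding per HSB DMA lockup. correlated=True means a Syncookie
    threshold message preceded it within window_seconds (the pattern the
    advisory describes); uncorrelated lockups are still reported because
    the advisory says other issues produce the same message."""
    window = timedelta(seconds=window_seconds)
    last_syncookie = None
    findings = []
    for raw in lines:
        rec = parse_ltm_line(raw, year)
        if rec is None:
            continue
        if rec["code"] == SYNCOOKIE_EXCEEDED:
            last_syncookie = rec
        elif rec["code"] == HSB_DMA_LOCKUP:
            correlated = (
                last_syncookie is not None
                and timedelta(0) <= rec["ts"] - last_syncookie["ts"] <= window
            )
            vmatch = VIRTUAL_RE.search(last_syncookie["msg"]) if correlated else None
            findings.append({
                "lockup_ts": rec["ts"],
                "lockup_msg": rec["msg"],
                "correlated": correlated,
                "syncookie_ts": last_syncookie["ts"] if correlated else None,
                "virtual": vmatch.group(1) if vmatch else None,
            })
    return findings


def exposure_assessment(platform, findings):
    """Combine the platform check with the log correlation. The software
    version check against the advisory's table is left to the operator."""
    hits = [f for f in findings if f["correlated"]]
    if platform not in HSB_PLATFORMS:
        return "platform has no HSB; lockup messages are not this issue"
    if hits:
        return (f"{len(hits)} HSB lockup(s) preceded by Syncookie threshold; "
                "check software version against the advisory table")
    return "no correlated lockups found"


def run_sample():
    """Run the correlation over the constructed sample log."""
    return correlate_hsb_lockups(SAMPLE_LTM_LOG.splitlines())


if __name__ == "__main__":
    results = run_sample()
    for f in results:
        state = "correlated" if f["correlated"] else "uncorrelated"
        print(f["lockup_ts"], state, f["virtual"], f["lockup_msg"])
    print(exposure_assessment("8900", results))
```

On a real unit, replace SAMPLE_LTM_LOG with the contents of /var/log/ltm
(and its rotated copies) and pass the platform string for the device; the
window should be widened if the two messages are expected to be further
apart than a few minutes in your environment.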
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVzK75n6ZAP0PgtI9AQLzHA/+MmAvBUdR8SJUPWTkUx1UFSDufaCT+aIV
/i63jR5eLw+DWTb/hzIWq7Hci6Poy+9N4nQGKz8MQ3qhIElmsMq9tWWh2PzoJttK
2Y09wpBpFPuIiDMFeafEnsoZ6UFiBgwZUgvZTul/vtfJYaOiV46DYD3VsINS8tVu
WwxdP91rZwq/3MkUOBB3BvgUiiZKVA3hUTk5cx+vqlgqXFnvTVx7YQj8LQMJr4xN
nJ8Yc5jHoa8xkfsRQJGv2RrqWMz7c7BYmHYwt6+4VSUvfj2VTjBqSQQnIhT1xxoF
jrx+SKUBlB0zPx7s3gkgBGwu5aFakaXgppRIjkU6mo3wLpwSxl0skhBGjvWi2wXE
s6cKVn/z/knYEMXWzTncjhKU5yGDVbr0R/vqfldzPwvM9SYaJ8kt7ak9x+D0m8WR
cg1zf9KRzY0YuLvXcxWpY9YPz12i5daAD7gJ9x6xSk8QJ5bC0J0r+E7DC3hNYWft
N7VJmfnwByGKgbpaha4ZpoTtZF0gizxnMHIf5facPQ304vgpUg+7Uobz73+GmkLU
IiqMUycBZHByjYhQMywQ1/6m2h3hGIB5s66RaAG1JMRnsBESlixVaLeJjJ1syV/U
LsKBVZKAWThui2Ej7/1YnPtpz9BQUN2kMfxJYpIhzAhCyOdV2XsBnYacev0X2qpt
ShrlzA0T6NU=
=Kg+r
-----END PGP SIGNATURE-----